WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted web site.